How to Strengthen the Security of Your WordPress Install

The developers of WordPress work hard to develop a strong and powerful system for creating websites. While the system may be sturdy, there is always more that can be done to improve WordPress security.

This isn’t saying you’ll be hacked right away. However, it doesn’t hurt to implement WordPress security best practices to keep your site safe.

In this tutorial, I’m going to show you some of the best WordPress security tips that will vastly decrease risk to your content. I cannot guarantee that you’ll never be attacked, but these practices will surely help.

Change Database Table Prefix Before Installation

WordPress will use a database table prefix of “wp_.” This is common knowledge among those targeting the popular content management system. During the install process for WordPress, you can change this prefix to something unique.

Changing the prefix of the database reduces the possibility of hackers gaining control of it. This is because it is more difficult to find.

If you use something like Softaculous to install WordPress, you can change the table prefix in the “Advanced Options” to something unique. For example, you could use “gt76x_” as the prefix.

Keep in mind that Softaculous will create a random database table prefix automatically. For instance, one table may be labeled, “wpts_” while another installation will use “wpep_”. This means Softaculous is already boosting the security of your site without worrying about changing settings.

Prior to installation, edit the wp-config-sample.php file of WordPress. Change the “wp_” part of the code in the $table_prefix line.

For example, you could put in something like:

$table_prefix = ‘ffd4_‘

This would change the prefix of your tables in WordPress during the installation. Rename the wp-config-sample.php file to wp-config.php and then run the installation for WordPress like normal.

Use a Unique Username

Some people will leave the default administrator user name as, “admin.” This gives hackers half of the credentials for hacking the site. Now all they would need is the password. Always use a unique username when installing WordPress.

But what if you already installed and are using, “admin?” This is easy to change, and I would advise you to do it immediately.

From the WordPress dashboard, click the User section.

As you don’t have access to change a person’s username, you need to create a new account. Click the “Add New” button on the top.

Create a new administrator user account for yourself using a completely unique username. Unfortunately, you cannot register the same email address in WordPress under two users. So, you have two options:

Go into the “admin” account and change the address to something like address@address.com. It doesn’t have to be a real address, especially since you’ll be deleting the account in a moment. This lets you use your original email address on the new account.

Input a new email address into WordPress.

Click the “Add New User” button on the bottom when you’re ready.

Log into WordPress using your new admin credentials and check that you have administrative access to the entire site.

From the Users screen, hover your mouse over the old “admin” account and click “Delete.”

In the next screen, click the “Confirm Deletion” button.

Password Protect the “wp-admin” Folder

One good way of keeping unwanted people from accessing your admin files is to password protect the folder. This is very easy from the cPanel dashboard.

Click the “Directory Privacy” tool in the Files section.

You don’t want to add a password to any of the default folders. Otherwise, no one would be able to visit the website unless they knew the password. Click the “Settings” button on the far right.

Click the “Document Root for:” radio button and select your domain from the drop down box.

Click the “wp-admin” link to open its settings.

Select the option for “Password protect this directory.”

Create a username and password for accessing the admin folder. This is separate from the login screen for WordPress. Click the “Save” button to commit your changes.

If anyone tries to access the wp-admin folder outside of WordPress, they will have to know the username and password.

.htaccess of wp-admin Folder

One method of denying access to the wp-admin folder is by setting up .htaccess. This is a small file that you can use to prevent all except your IP address. The only downside to this function is that you may have to re-enter your IP address periodically.

Unless you own a static IP from your internet service provider, meaning one that never changes, your address will be different when it refreshes. As a result, you will have to edit the .htaccess file so you can open the wp-admin folder.

To create the .htaccess file, go to the “wp-admin” folder of your website through File Manager in cPanel.

Click the “+ File” function from the top tool bar.

Name the new file, “.htaccess” and click “Create New File.”

Edit the .htaccess file with the following lines:

Deny from all
Allow from 194.12.15.1

Replace the “192.168.0.1” with your own IP address assigned from your internet service provider. This can be found in your internet router or by contacting your ISP’s customer support.

Click the “Save Changes” button on the top right of the editing screen in File Manager.

This is only one of many ways you can secure a folder using .htaccess. Just keep in mind that your IP address has to match the one in the file if you want direct access to the wp-admin folder.

You can also include the .htaccess file in various folders throughout your website if you want to keep all of those sections locked down as well. However, it might be time consuming if you have to change the address each time you need to access those resources if your IP changes.

Security Plugins

Perhaps one of the easiest ways to protect your website is installing one of the best WordPress security plugins. There are many to choose from and each offers a great deal of safety and security.

Wordfence Security
One of the best WordPress security plugins you can install is Wordfence Security. This free tool comes with a range of functions from file scanning to protecting the login screen of your website. It shields you from more than 44,000 threats and prevents the development of known backdoor security holes. Because it’s free to set up, you lose nothing but time trying it out.

Keep Plugins, Themes and WordPress Files Updated

WordPress security best practices include keeping your files up-to-date and current. You can choose automatic updates if you install WordPress using Softaculous. However, it’s almost as easy to simply update your plugins directly in your admin dashboard.

Click the Update function when one becomes available and install it.

Perform Regular Backups

Keeping regular backups will prevent you from losing the site in the event of a disaster. It’s perhaps one of the most important parts of maintaining any kind of a site whether it’s an online store or a personal blog.

UpdraftPlus WordPress Backup PluginUpdraftPlus is an excellent option for creating backups. Not only does this plugin create copies of your files and databases, but it also integrates with cloud storage sites. For instance, you can have UpdraftPlus save your backup copies directly to Dropbox or Google Drive as well as other services.

Keep Your Site Secure

There’s no such thing as having too much security on your website. Because of the nature of the Internet, it’s not a question of “if” you’ll be the target of an attack but “when.” Do your part to keep your files and content safe. Even some of the smallest additions can have a profound impact in WordPress security.

What kind of plugins do you enjoy when it comes to protecting WordPress? How often do you create backups of your website?

My name is Josh Dargie and I’m the Operations Manager at GreenGeeks. I’ve been with the company since 2009. I have over 16 years of experience working with and for various web hosting providers specifically in development, day-to-day operations and customer service.